5 Replies Latest reply: Jun 4, 2013 5:58 PM by Kary Tankink

    Help with creating a signature


      Ok, so I need a little guidance on what I am missing here.


      I am trying to create a signature to protect a certain service/process, like McAfee does for its own services using HIPS. I am trying to create a rule to prevent users from changing the startup of the service, modification of the files, and termination of the process. I am not seeing where to prevent termination of the service, and my file mod rules don't appear to be working. The service mod seems to be working. Any help would be appreciated.

        • 1. Re: Help with creating a signature
          Kary Tankink
          I am not seeing where to prevent termination of the service

          Use the PROGRAM engine (open with terminate and open with modify directives).


          Page 116 of:

          PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide



          my file mod rules dont appear to be working

          I'm not exactly sure what protection you're trying to gain with protecting myservice.exe, but if you include the Destination File parameter, then that SubRule will only work for move/rename operations of the file specified. Try without the Destination File parameter; then you shouldn't be able to perform any of the selected directive operations against the filename.

          • 2. Re: Help with creating a signature

            Thanks for the reply, that did point me in the right direction. Still having problems trying to figure out how to write a signature to prevent a process from being terminated. I am trying to locate any place that may have signatures posted out on the web so I can see some examples of similar sigs. Know of any place?

            • 3. Re: Help with creating a signature
              Kary Tankink

              I'm not aware of any location where customers post their custom signatures. If any place, I would assume it would be on the McAfee community forums here.


              Just a quick signature test, I created this signature to:


              1. Prevent the Windows Spooler service from being stopped.

                [attached screenshot: ePolicy Orchestrator 5.0.0 (Build_ 1160)_2013-05-31_18-10-32.jpg]

              2. Prevent spoolsv.exe from being terminated by Windows Task Manager.

                [attached screenshot: ePolicy Orchestrator 5.0.0 (Build_ 1160)_2013-05-31_18-14-17.jpg]




              *NOTE: Further testing will need to be done to make sure this doesn't cause any issues, though.

              • 4. Re: Help with creating a signature

                Thanks for the response, Kary. My signature is failing for me still. My three objectives are to prevent a service from being stopped, startup mode changed, process killed, or file removed or renamed. Here are the rules I created for a Windows 7 x64 system that only partially work.


                1. Rule to prevent the file from being deleted or renamed.

                [attached screenshot: File Protection.png]

                This rule seems to work as designed with no problems.



                2. Prevent the service from being stopped or its startup mode changed.



                This rule only partially works. It blocked my ability to change the startup mode from automatic to disabled, but it does not prevent me from choosing Stop or Restart.



                3. Prevent the process from being terminated by a user.


                I did at one point get this signature to work, but it would go crazy tripping. For some reason this does not trip anymore after I recreated it. I am guessing that I need to put in a process like taskmgr.exe and cmd.exe under the caller module/include and/or exclude local\system under user? Not sure why this signature doesn't work, though.


                Any ideas? Your help is greatly appreciated.

                • 5. Re: Help with creating a signature
                  Kary Tankink

                  On my Win7 x64 system, I performed all the operations you mentioned just fine with these rules. If you continue to have issues, I would suggest opening a Service Request with McAfee Support to troubleshoot further.


                  • For file protection, the **\ was required.
                  • For program protection, I removed the "open_with_any" directive, as it triggered way too many times on just normal functionality by other applications.
                  • For program protection, I used taskmgr.exe and taskkill.exe to test with. Both were blocked.
                  • For service protection, I was blocked when setting Automatic, Manual, or Disabled. I did encounter some Windows errors testing with Automatic Delayed Start, but it wasn't related to HIPS.


                  [attached screenshot: 2013-06-04 17_50_15-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]

                  [attached screenshot: 2013-06-04 17_49_53-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]

                  [attached screenshot: 2013-06-04 17_49_24-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]


                  Message was edited by: ktankink. Corrections to protections (in italics). 6/4/13 5:58:34 PM CDT
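The reply above tests the signature by hand with taskmgr.exe, taskkill.exe and the Services console. The script below is an added example, not from the original thread and not McAfee code: it drives the same four operations the thread wants blocked (rename the service binary, change the startup mode, kill the process, stop the service) against one test service and reports which of them got through, so the result can be repeated after every policy change. The defaults (`Spooler` / `spoolsv`) are assumed to match the spooler test in the reply above; point it at your own service with `-ServiceName` and `-ProcessName`. It assumes an elevated PowerShell on a client that already has the HIPS policy applied, and touches no HIPS API.

```powershell
<#
  Added test harness (not from the original thread or from McAfee).
  Exercises the four operations the signature should block and prints
  which were allowed. Run elevated on a client with the policy applied.
  Assumptions: -ServiceName is the service under test and -ProcessName
  is the image name of its process (without .exe).
#>
param(
    [string]$ServiceName = 'Spooler',   # assumed test service (as in the reply above)
    [string]$ProcessName = 'spoolsv'    # assumed image name of that service
)

function Ensure-Running {
    # Every test needs the service up; an earlier test may have taken it down.
    if ((Get-Service -Name $ServiceName).Status -ne 'Running') {
        Start-Service -Name $ServiceName -ErrorAction Stop
        Start-Sleep -Seconds 2
    }
}

function Test-Operation {
    param([string]$Label, [scriptblock]$Action)
    try {
        & $Action
        New-Object PSObject -Property @{ Operation = $Label; Result = 'ALLOWED'; Detail = '' }
    } catch {
        # DENIED only means the call failed. Confirm in the HIPS client activity log
        # (or the ePO events) that HIPS was the blocker: renaming a binary under
        # System32, for example, can be refused by Windows ACLs with HIPS disabled.
        New-Object PSObject -Property @{ Operation = $Label; Result = 'DENIED'; Detail = $_.Exception.Message }
    }
}

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
# Pull the image path out of the service command line, quoted or not.
$binary = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
# Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
$originalStart = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
$report = @()

# 1. Files rule (the reply notes the **\ path form was needed): rename the binary.
Ensure-Running
$report += Test-Operation 'Rename service binary' {
    Rename-Item -LiteralPath $binary -NewName "$([IO.Path]::GetFileName($binary)).bak" -ErrorAction Stop
}
if (Test-Path -LiteralPath "$binary.bak") {   # rename got through: put it back
    Rename-Item -LiteralPath "$binary.bak" -NewName ([IO.Path]::GetFileName($binary))
}

# 2. Services rule: change the startup mode, then restore it.
$report += Test-Operation 'Change startup mode to Disabled' {
    Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction Stop
}
Set-Service -Name $ServiceName -StartupType $originalStart -ErrorAction SilentlyContinue

# 3. Program rule (open with terminate): kill the process with taskkill.exe.
Ensure-Running
$report += Test-Operation 'Terminate process with taskkill.exe' {
    $targetPid = (Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1).Id
    $out = & taskkill.exe /F /PID $targetPid 2>&1
    if ($LASTEXITCODE -ne 0) { throw ($out -join ' ') }
}

# 4. Services rule: stop the service (Stop/Restart is the case the original poster saw slip through).
Ensure-Running
$report += Test-Operation 'Stop service' {
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
}
Ensure-Running   # leave the client as we found it

$report | Select-Object Operation, Result, Detail | Format-Table -AutoSize
```

Run it once with the policy enforced and once with HIPS disabled: an operation that is DENIED in both runs is being refused by Windows itself, not by your signature, and is not evidence that the rule works. Running it under a second account covers the "exclude local\system under user" question from post 4, since the harness itself is the caller HIPS will see.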